New NIST Standards, IR Plans and More: October Cyber News Bytes

Federal Contractors Must Adhere to NIST Standards

A recent memorandum dated 9/14/2022 outlined requirements for federal agencies regarding software use. The memorandum states that agencies must use software from producers that attest compliance with the National Institute of Standards and Technology (NIST) secure software development guidance. These new requirements apply to third-party software used on government systems or on systems that otherwise “affect” government information. They apply to software developed after the 9/14/22 memorandum date, as well as to existing software that undergoes a major version change after 9/14/22. Producers can provide the required attestation either through self-attestation or through a third-party assessment. A recent National Law Review article outlines the timeline for key milestones and guidance on what contractors should do next.

Preparing an IR Plan

In this two-part article from NetDiligence (Part 1 & Part 2), CrowdStrike Director of Advisory Services Eben Kaplan explains the effectiveness of having an Incident Response Plan (IRP). Having an IRP in place prepares you for what to do and when to act during a cyberattack, data breach or other incident. In preparing your IRP, the key elements the plan should cover include preparation, detection and analysis, containment, eradication, recovery and post-incident activity. A few helpful tools and services available to assist in creating IRPs are Breach Plan Connect (BPC), Surefire Cyber and CrashPlan.

When planning your Incident Response Plan (IRP), think of it as a fire drill. It is not enough to have the plan in place for when an incident may happen; you must also ensure your team knows how to act on the plan. Cybersecurity “fire drills,” also known as tabletop exercises, should be conducted on a regular basis. Running these exercises helps confirm that the IRP is sound and does not have any oversights, gaps or areas needing improvement. In the second article, Billy Gouveia of Surefire Cyber explains the importance of putting your IRP into action and how to run a data breach fire drill. RCM&D demonstrated a tabletop exercise as part of a recent webinar series, which you can view here.

Top Security Safeguards

Mounting claims activity, most notably ransomware and business email compromise claims, has created the need for a much more vigilant underwriting process for cyber insurers. As Corvus’s Jason Rebholz notes in a recent post by IT Brew, long gone are the days when an organization could secure cyber coverage via a two-question application. Prospective insureds must undertake a significantly more robust process, designed to identify strengths and weaknesses within the organization’s cybersecurity program. Jason accurately explains that insurer focus differs, but leaves readers with five consistent areas of focus for all cyber underwriters.

Cybersecurity Risk Assessment Framework

The ever-growing amount of data organizations hold, the evolution of technology and remote work, and the maturity of privacy regulation have resulted in data breaches/cybersecurity leading the 2022 Forbes Biggest Risks and Threats for Business list. The pervasiveness of this risk is creating concern for all business leaders and causing many to look for solutions or approaches to better manage the exposure. A risk assessment, a process designed to understand and quantify the specific risk in question, is often the most appropriate first step when exploring alternative approaches to managing risk. The following piece by Michael Cobb of TechTarget provides a five-step framework for performing a cybersecurity risk assessment, designed to support organizations in their efforts to improve cybersecurity risk management.